[Snort-sigs] Signature Definition #354, 1 of 20

Esler, Joel Contractor EslerJ at ...785...
Mon Jun 9 05:05:13 EDT 2003

Rule: -- FTP iss scan 
Sid: -- 354 
Summary: -- This signature detects an ISS Scan scanning to any box on the
network to port 21.  ISS Scanner uses the string iss at ...1576... as a password to
login to an FTP Server
Impact: -- If you have unknown anonymous login boxes on your network, this
will help you remedy that.
Detailed Information: -- ISS Scanner is a vulnerability detection tool
(currently in version 7.0) that attempts logins (per policy use) to network
boxes on port 21.  for a password the ISS Scanner will use the string "pass
-iss at ...1576...".
Affected Systems: -- FTP Servers known or unknown with anonymous login
Attack Scenarios: -- 
Ease of Attack: -- Easy
False Positives: -- If a user uses the password string "iss at ...1576..." upon FTP
login it can trigger this signature
False Negatives: -- 
Corrective Action: -- Disable anonymous login on FTP Servers and require
users to authenticate with a secure password.  Block offending IP's at the
Contributors: -- Joel Esler
Additional References: arachnids,331 <http://www.whitehats.com/info/IDS331>

More information about the Snort-sigs mailing list